I’m having an issue with my HAProxy installation. I’m trying to get TLS 1.3 working successfully. When using the SSL test site, 1.3 is not being served.
I have made the required changes in the .cfg file, but I think the problem is the version of OpenSSL HAProxy is built with, which is 1.0.2g. Here’s the output from haproxy -vv:
HA-Proxy version 1.8.24-1ppa1~xenial 2020/02/16
Copyright 2000-2020 Willy Tarreau <firstname.lastname@example.org>

Build options :
  TARGET = linux2628
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
  [SPOE] spoe
  [COMP] compression
  [TRACE] trace
I can see that TLSv1.3 is not supported. Here’s the output from openssl version
OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1d 10 Sep 2019)
So OpenSSL is the required version, I just don’t know how to link HAProxy to use the newer libraries. I’m not an expert on these things. I’ve tried to remove the current version of HAProxy and reinstall, but this made no difference. I’m assuming I will have to build from source, but I’m not sure how I go about this without affecting any other services that are dependent on OpenSSL libraries.
Sorry if this is a novice question, but I’m a Windows man, dabbling in a bit of Linux.
Any help would be very much appreciated.
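
The check behind the diagnosis in the post above, as an added example that is not part of the original post: a POSIX shell script that reads `haproxy -vv` text and reports whether the OpenSSL that HAProxy was built with, or the one it loads at run time, is older than 1.1.1, the first OpenSSL release with TLS 1.3. The function names are this example's own, and the sample is three lines copied from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): find out why HAProxy lacks TLS 1.3.
# Constructed sample: three lines copied from the haproxy -vv output quoted above.
SAMPLE_VV='Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'

# $1 = haproxy -vv text, $2 = "Built with" or "Running on"; prints e.g. 1.0.2g
haproxy_openssl_version() {
    printf '%s\n' "$1" |
        sed -n "s/^$2 OpenSSL version : OpenSSL \([^ ]*\).*/\1/p" | head -n 1
}

# Succeeds if the "OpenSSL library supports :" line lists TLSv1.3.
haproxy_supports_tls13() {
    printf '%s\n' "$1" | grep '^OpenSSL library supports :' | grep -q 'TLSv1\.3'
}

# Succeeds if an OpenSSL version string is 1.1.1 or later.
openssl_version_has_tls13() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "1.0.2g" -> "1.0.2"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Prints a one-line diagnosis for the given haproxy -vv text.
diagnose() {
    built=$(haproxy_openssl_version "$1" "Built with")
    running=$(haproxy_openssl_version "$1" "Running on")
    if haproxy_supports_tls13 "$1"; then
        echo "ok: TLSv1.3 listed (built $built, running $running)"
    elif ! openssl_version_has_tls13 "$built"; then
        echo "rebuild: built with OpenSSL $built, TLS 1.3 needs 1.1.1 or later"
    elif ! openssl_version_has_tls13 "$running"; then
        echo "runtime: running on OpenSSL $running, TLS 1.3 needs 1.1.1 or later"
    else
        echo "unknown: OpenSSL $built/$running but TLSv1.3 is not listed"
    fi
}

# Use the live binary when present, otherwise the sample.
if command -v haproxy >/dev/null 2>&1; then
    diagnose "$(haproxy -vv 2>&1)"
else
    diagnose "$SAMPLE_VV"
fi
```

The script deliberately ignores `openssl version`: that command describes the command-line tool and the library it loads, not the library the HAProxy binary was compiled against.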